Compliance Alliance gets many questions about virtually every aspect of SAR filings. However, an aspect we rarely get questions about is SAR confidentiality. Everyone seems to understand that SARs are confidential and that even disclosing information that would reveal whether or not a SAR was filed is prohibited. Thanks to the Anti-Money Laundering Act of 2020 (the AML Act), the extent of SAR confidentiality could be changing.
New Guidance on Organizational Sharing
Pursuant to the AML Act, FinCEN recently issued a notice of proposed rulemaking (NPRM) on what it’s calling a “limited duration pilot program” for banks to share SARs and SAR information with their foreign branches, affiliates, and subsidiaries in an attempt to further lessen financial risks. The comment period for this NPRM will be open until March 28, 2022.
The AML Act was passed in part to improve information sharing, which will be aided by the pilot program. Regardless of when the program begins, it will terminate no later than January 1, 2024, unless FinCEN decides to extend the program, which it is authorized to do for an additional two years. Banks will not be allowed to share with foreign branches, affiliates, or subsidiaries located in the People’s Republic of China, the Russian Federation, or a jurisdiction that is a state sponsor of terrorism.
Existing Guidance on Structural Sharing
In 2006, the agencies issued guidance on the sharing of SARs with head offices and controlling companies. This guidance stated that a U.S. branch of a foreign bank may share SARs with its main office outside of the U.S., and a U.S. bank may share SARs with its domestic or foreign controlling company. The agencies allowed for this sharing because of the enterprise-wide risk management implications for a bank's main office or controlling company in complying with regulatory requirements. However, even though it permitted sharing within the same organizational structure, the guidance also stated that banks are required to have written confidentiality agreements or arrangements in place specifying that the main office or controlling company must protect the confidentiality of SARs through internal controls.
In 2010, subsequent guidance was issued related to sharing SARs with a bank’s affiliates, which generally allowed for the sharing of SARs and related information with U.S. affiliates that are themselves subject to SAR filing obligations (e.g., money services businesses, residential mortgage lenders, etc.). Sharing was not allowed with foreign branches of U.S. banks because those branches are regarded as foreign banks for purposes of the BSA. This 2010 guidance also indicated that banks should have internal controls such as policies and procedures in place to protect the confidentiality of SARs. Both the 2006 and 2010 guidance indicated that there may be circumstances under which the financial institution, its affiliate, or both entities could be liable for direct or indirect disclosure of a SAR or any information that would reveal the existence of a SAR.
Even after this limited duration pilot program is launched, SARs will still be confidential and there will still be consequences for disclosing SARs or related information. However, sharing in accordance with the pilot program looks to be a little more open and should allow for information to flow through organizations in a way that may be helpful in lessening future financial risks, although this may require that institutions enhance their internal controls in order to safeguard confidential information.